Compliance Law: Requirement or Risk Management?

Security policies, by their nature, attempt to comply with all regulatory requirements the organization must meet. The word attempt is used deliberately to reflect the balance that policies must strike. Policies must balance achievable goals, best practices, and interpretation of the regulations, and that balance requires compromise. That's why the legal department is a key stakeholder in creating security policies: it ensures the security policies are defensible with regulators and in the courts.

The regulators look first at the organization’s policies. They assess if the policies are reasonable and conform to guidance. The regulators ensure core requirements are met regardless of whether the organization feels they are achievable. However, even regulators must interpret legal language, and they may do it differently than your organization.

For example, under the Gramm-Leach-Bliley Act (GLBA), organizations must notify regulators promptly of any unauthorized access that breaches customer financial records. You need to determine what constitutes unauthorized access or a breach. There are clear examples, such as an outside hacker. There are also gray areas. If a teller accesses an account out of curiosity, would that be a reportable breach under GLBA? It could be. Regulators provide threshold guidance. It's doubtful a bank would notify a regulator over one customer account accessed inappropriately by an internal employee; it's not uncommon for a threshold to be set at 1000 or more records. That doesn't mean the breach of a single account isn't important. Thresholds are a practical way of assessing the magnitude of a breach, but even a single account breach can have significant impact. Assume, for example, that a single account breach identified a pervasive control weakness. Pervasive control is a term used to mean a control that is widely used across the enterprise. As such, that single account breach can reveal a control weakness that could have led to a much bigger breach.

TIP

Regulators use approved documents and processes to assess an organization’s security policies. These guidance documents are usually publicly available. You can compare them with your own security policies to ensure that they meet all requirements. Guidance documents also provide evidence to the regulator of conformance.

Pervasive control weaknesses are of interest to a regulator. For example, assume that a retail account statement was found in the possession of an employee who had no authorization to have the document. Suppose it was later found that the employee picked it up out of a trash bin on a loading dock. Although only a single document was removed, the breach indicates a much bigger problem: if there were a general lack of controls for secure disposal of customer account documents, that would be considered a pervasive control weakness.

Regulatory guidance addresses most gray areas in the law. The key point is that organizations need to establish a risk management program that ensures security policies address legal requirements. The risk management program also ensures these policies are enforced. It is important to provide regulators with evidence that the security policies help manage risk as well as prevent breaches.
